Stagefright is a remotely exploitable software bug that affects versions 2.2 and up of the Android operating system. A remotely exploitable bug of this kind allows remote code execution: the attacker can run commands of the attacker’s choice in a target process and so perform arbitrary operations on the victim device. It is the most powerful effect a bug can have, because it allows an attacker to completely take over the process. From there the attacker can potentially take complete control of the system the process is running on.
The Stagefright bug was discovered by Joshua Drake of the security firm Zimperium. After it was reported to Google, Google dispatched a fix, but many Android devices are still vulnerable to the Stagefright flaw despite the patch from Google. Now Zimperium has announced that it has discovered yet another way hackers could bypass an Android handset’s security. This time, the malicious code can be delivered by an audio message: hackers can encode a piece of malware into an MP3 or MP4 file and then propagate it.
The blog by Zimperium says:
How can the attack be triggered?
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
1. An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
2. An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser
3. 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library
The latest releases of Android 5.1 “Lollipop” include actual patches against the Stagefright bug as of 10/1/2015. Google said it will dispatch a fix against the bug in Android security updates in the next couple of months. The update will be released first for Nexus devices and then for other brands, so you will have to wait for the fix.
Note: There are a few apps available on the Play Store to detect whether your device is affected or not. You can install one of these apps and check for the bug.